In the past, fairly common programming errors called dangling pointers were often seen as quality control problems rather than security issues. In 2005, for example, a dangling pointer in Internet Information Server 5.1 was reported to Microsoft, but remained unpatched for two years, even though these kinds of bugs have the ability to crash a system and present a serious security threat.

Dangling pointers occur when a programmer creates, uses, and then frees an object in memory, but does not change the object's pointer value accordingly -- in this case, to a null pointer. Instead, the pointer inaccurately refers to the memory location of the de-allocated memory. The pointer is considered to be "dangling" since it points to memory that may no longer hold a valid object. Because the memory may contain completely different data, unpredictable behavior can result when a programmer mistakenly dereferences the pointer to access the object.

Experts at online risk management company

Continue Reading This Article

Enjoy this article as well as all of our content, including E-Guides, news, tips and more.

By submitting your personal information, you agree to receive emails regarding relevant products and special offers from TechTarget and its partners. You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

And we have seen how damaging and effective buffer overflow attacks can be. Corrupted data structures, information leaks, privilege escalation and execution of malicious code are all possible exploits when an attacker meddles with computer memory. Although dangling pointers can probably be found in most mature applications, hackers are going to focus on Web server applications because they often contain a high volume of sensitive data.

Dangling pointers can be very difficult for programmers to locate since they often corrupt unrelated data or cause system instabilities long after they are created. The bugs are most prevalent in low-level languages such as C and C++. In higher-level languages like Java and C#, dangling pointers cannot occur. Here, pointers are handled automatically, and implicit garbage collection occurs when an object is eliminated. Developers using languages without some form of automatic handling of pointers need to reassess their application development processes. All pointers need to be set to a null pointer after use.

Smart pointers are popular data types that can better manage memory. A smart pointer typically uses reference counting to reclaim objects. Reference-counting mechanisms calculate the smart pointers that refer to the same object, and once the count equals zero, the object is deleted.

Some other defensive measures include the "tombstones method" and the "locks-and-keys method." Once an object is dead, an associated tombstone can provide automatic nullification of any pointers that may be referencing it. In a locks-and-keys scenario, pointer access is determined by comparing the two values of a pair of ordered keys. Other available products like Valgrind, a suite of debugging equipment, and the Boehm-Demers-Weiser garbage collector, a tool that cleans up code, can also help prevent dangling pointers.

Since dangling pointers can no longer be considered a benign problem, developers need to adjust software development processes so that dangling pointers are prevented from reaching production code. Because the problem may become too serious to leave until the quality control stage, protective measures should be placed earlier in the development lifecycle. With high-level languages, the process will be relatively straightforward. For those developing and maintaining programs in other languages, relying on the above-mentioned best practices is recommended.

About the author:Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.

Disclaimer:
Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

The PCI Security Standards Council has confirmed that PCI DSS 3.1 will be released in just a few weeks. According to a Gartner analyst, the surprise new release could cause major problems for merchants.

News roundup: The ban of "booth babes" at RSA Conference 2015 has been met with praise; does it equal an increase of women in infosec? Plus: Cyberthreat data-sharing bill advances; Flash flaw exploited days after patching; new twist on Google Play app vetting.

Social engineering techniques have become increasingly sophisticated as more personal and corporate data is shared on the Internet, and traditional training techniques may not be enough to keep enterprises safe.